-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 21 Jun 2026 11:32:55 +0200
Source: sogo
Architecture: source
Version: 5.8.0-2+deb12u3
Distribution: bookworm-security
Urgency: medium
Maintainer: Debian SOGo Maintainers 
<[email protected]>
Changed-By: Peter Wienemann <[email protected]>
Closes: 1131605 1131606
Changes:
 sogo (5.8.0-2+deb12u3) bookworm-security; urgency=medium
 .
   * Non-maintainer upload.
 .
   [ Peter Wienemann ]
   * Add patch to fix CVE-2026-46445 and CVE-2026-46446:
     - CVE-2026-46445: SQL injection vulnerability when at least one user
       source is a PostgreSQL database
     - CVE-2026-46446: SQL injection vulnerability when at least one user
       source is an SQL database (MariaDB or PostgreSQL) and passwords are
       stored in plain text
   * Add patch to fix CVE-2025-71276: (Closes: #1131605)
     XSS with events, tasks and contacts categories
   * Add patch to fix CVE-2026-33550: (Closes: #1131606)
     TOTP vulnerabilities:
     - If a user disables/enables it, it is not renewed.
     - Length is too short (12 rather than recommended 20).
   * Add patch to fix CVE-2026-8496:
     A maliciously crafted ICS calendar invitation file allows arbitrary
     JavaScript execution within the authenticated SOGo webmail session.
   * Add patch to fix a regression introduced by fix for CVE-2026-8496
   * Add patch to fix CVE-2026-8851:
     SQL injection vulnerability in the access control list
     management functionality that allows authenticated users to extract
     arbitrary data from the database by injecting SQL subqueries through
     the uid parameter of the addUserInAcls endpoint.
   * Add patch to fix folder path in fix for CVE-2026-8851
   * Add patch to fix XSS in message subject rendering
 .
   [ Jordi Mallach ]
   * Add upstream patch to fix impersonation issues when importing events.
Checksums-Sha1:
 03c7f04c5292af91d32259f5e2c94ea7803ec2d9 2296 sogo_5.8.0-2+deb12u3.dsc
 53cf3471d97d0ea029b07b9f31d1a42afb6a3bd8 34926380 sogo_5.8.0.orig.tar.gz
 e623dda80b1ffd7a584b972bd886fd2cfb893607 29356 
sogo_5.8.0-2+deb12u3.debian.tar.xz
 e4d39814af09c6f7b888b5202098001433a75062 5923 
sogo_5.8.0-2+deb12u3_source.buildinfo
Checksums-Sha256:
 7bba4329203b4ca90843633f2a9dfe180363a96ca7333c8e5c226671411103b5 2296 
sogo_5.8.0-2+deb12u3.dsc
 0031e30f48b523ec5c015f5f3fe90184e8a9abdfa3efe3ab08fd980ab7173380 34926380 
sogo_5.8.0.orig.tar.gz
 c98bd09daa542ff0630c2338f7b70dda8bf0054c9573fe07f6ed474791d2a711 29356 
sogo_5.8.0-2+deb12u3.debian.tar.xz
 9e0d87fe70ddb66ddc29a626adec806a15d2478b300b90849350562525915163 5923 
sogo_5.8.0-2+deb12u3_source.buildinfo
Files:
 994a81de1a645341c84e9bde70ff8086 2296 mail optional sogo_5.8.0-2+deb12u3.dsc
 07da886b2b4faa942d68af8a3d6a38a6 34926380 mail optional sogo_5.8.0.orig.tar.gz
 aabd6d2e1027f57630b56ce12587e907 29356 mail optional 
sogo_5.8.0-2+deb12u3.debian.tar.xz
 4658f6c24920e60303e46f652b83743d 5923 mail optional 
sogo_5.8.0-2+deb12u3_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEwv5L0nHBObhsUz5GHpU+J9QxHlgFAmpCsuQACgkQHpU+J9Qx
HlhNrg/9G8oosRxVwON0PsjiaT/QWF54xoatJ+A7fYinn5Iv3JdqzKq8abSMfCoq
y4HwEyCzPuWmDZ97Ylw+g12ps42BCJ03/6A9P4DIRztmWugNm3yOsS82Zdx+Fhl8
QSpW6mHHhuteyDaKMPJAfblFKJl5YBs8NLFdgAYNqcuNSEri2StUropBx/4Sv6d8
PnORHN49P0qw6rAVgpiWQQX7q0RsyyImqgffy3D9DKvL273b7wQimmYjsM/y+T8J
hzUKC6iC3Ut/VqRm0tn+6ddJ3+xdKazKkqi+jifd3vrn6U/huSBkf/egRELNP7gh
T5obbOAm0iMeYUOBZG5h0RWHApDLkymFIZzPQSkWTOkH1UXJZK7pBeenfVRzN+Fe
PXrWrhyiJOGfmyl+nyFoNYKFNtlnpccuHrtqrT0Z2oSzAKFGuG1KWZJ8Z102SzgZ
OWkLuWPSopxQ7SJ3BUFnlTUm1JTctjxw378XaDt02tSrIP5Sp7lBvKApmkeBtbUm
Mnncqp/v1gBzB9vXASpvpn+c3X/QLkk73rqN6EoLXoCUxDSrwBog/sgr3Mef3Is3
Ox9ci6uSRcodbAwTDxTLn/exjjAIOxVorAXa/i2qX092mc9qnvQKG/0BOymyj/Qs
NUEehWrY4FRhHA99VpsuDfAzFvFLpf0zhzCjVRaVCKNQlG/8NyY=
=GJRn
-----END PGP SIGNATURE-----

Attachment: pgp362BduAKtv.pgp
Description: PGP signature

Reply via email to